Display Replication Partners and Status of a Domain Controller

When troubleshooting replication errors, it is helpful to know which servers are the replication partners of a specific domain controller and the status of replication with each of those partners.

Repadmin /showrepl displays the replication partners (RepsFrom and RepsTo) for each naming context that is held on the specified domain controller. By enumerating each RepsFrom and each RepsTo for each domain controller, you can visualize the replication topology for each naming context.

It also indicates whether the domain controller is also a global catalog server. Inbound replica links are displayed by default. Outbound links can also be shown, as well as connections that correspond to those links. The command also displays errors that correspond to replica links that cannot be created by the Knowledge Consistency Checker (KCC). This helps the administrator build a visual representation of the replication topology and see the role of each directory server in the replication process.

Syntax

<DC_LIST>

Specifies the host name of a domain controller, or a list of domain controllers separated by spaces, that the object will be replicated to. See above for detailed syntax. For details about <DC_LIST>, see repadmin /listhelp.

<SourceDCObjectGUID>

Specifies the unique hexadecimal number that identifies the object whose replication events will be listed.

<NamingContext>

Specifies the distinguished name of the directory partition.

/verbose

Lists detailed information.

/nocache

Specifies that globally unique identifiers (GUIDs) are left in hexadecimal form. By default, GUIDs are translated into strings.

/repsto

Lists the directory servers that pull replication information from the specified directory partition. To see the outbound neighbors, specify /repsto or /all.

/conn

Displays the connection objects that are associated with each link.

/csv

Displays the output of the repadmin /showrepl operation in comma-separated values (CSV) format for viewing and analysis in Microsoft Excel. Repadmin supports redirection of screen output to a file.

/all

Displays all replication partners.

/errorsonly

Shows a partnership only if it has an error associated with it.

/intersite

Shows a partnership only if the source server belongs to a different site than the server on which the command is being run.

Show replication partners and replication status

The following example uses the showrepl operation of repadmin to display the replication status of ROOTDNS in relation to its partners. In our example, no problems are reported because replication is running properly. There is a lot of information to gather from this output; read the comments next to each line, which explain what that line means.

In the output under INBOUND NEIGHBORS, repadmin.exe shows the Lightweight Directory Access Protocol (LDAP) distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether it succeeded or not, as follows:

Last attempt @ YYYY-MM-DD HH:MM.SS was successful.

Last attempt @ [Never] was successful.

If repadmin.exe reports any of the following conditions, further investigation is required:

The last successful inter-site replication was prior to the last scheduled replication.

The last intra-site replication was longer than one hour ago.

Replication was never successful.
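As an added example (not part of the original guide), the Python below applies the "never successful" and "intrasite older than one hour" checks above to repadmin /showrepl /csv output, and also flags links with a non-zero failure count. The /csv column names, the use of 0 where repadmin has no timestamp, and the sample rows are assumptions constructed for illustration; the intersite check against the last scheduled replication needs the site link schedule, which the /csv output does not carry, so it is not implemented.

```python
"""Triage repadmin /showrepl /csv rows for links that need further investigation."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of 'repadmin /showrepl /csv' output for ROOTDNS.
# Column names and the '0' placeholder for "no timestamp" are assumed.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,ROOTDNS,"DC=contoso,DC=com",HQ,DC2,RPC,0,0,2024-03-01 10:55:00,0
showrepl_INFO,HQ,ROOTDNS,"CN=Configuration,DC=contoso,DC=com",HQ,DC3,RPC,0,0,2024-03-01 08:00:00,0
showrepl_INFO,HQ,ROOTDNS,"DC=contoso,DC=com",Branch,DC4,RPC,3,2024-03-01 10:58:00,0,8524
"""


def parse_time(value):
    """Return a datetime, or None when repadmin reports no timestamp (assumed '0' or empty)."""
    value = value.strip()
    if value in ("", "0"):
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def triage(csv_text, now, intrasite_max=timedelta(hours=1)):
    """Return (partner, reason) pairs, one per condition found on an inbound link.

    Checks: no Last Success Time (never successful); an intrasite link whose
    last success is older than intrasite_max; a non-zero failure count.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        partner = "%s\\%s -> %s" % (row["Source DSA Site"], row["Source DSA"], row["Naming Context"])
        last_ok = parse_time(row["Last Success Time"])
        intrasite = row["Source DSA Site"] == row["Destination DSA Site"]
        if last_ok is None:
            findings.append((partner, "replication was never successful"))
        elif intrasite and now - last_ok > intrasite_max:
            hours = (now - last_ok).total_seconds() / 3600
            findings.append((partner, "last intrasite success %.1f hours ago" % hours))
        failures = int(row["Number of Failures"])
        if failures:
            findings.append((partner, "%d failures, last status %s" % (failures, row["Last Failure Status"])))
    return findings


if __name__ == "__main__":
    # Evaluate the sample as of 2024-03-01 11:00:00 (constructed reference time).
    for partner, reason in triage(SAMPLE_CSV, datetime(2024, 3, 1, 11, 0, 0)):
        print(partner, "-", reason)
```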

DC Object GUID is a reference point used in the Active Directory and Domain Name System (DNS) to locate a domain controller primarily for the purposes of replication. This GUID is automatically generated for each domain controller, is unique when created, and will not be duplicated.

DC invocationID – The Active Directory database has its own GUID, which the Directory System Agent (DSA) uses to identify the database instance (version of the database). The database GUID is stored in the invocationId attribute on the nTDSDSA object. Although the DSA GUID never changes for the lifetime of the domain controller, the Active Directory database GUID (also known as the invocation ID or database signature) is changed during the Active Directory restore process to ensure the consistency of the replication process. In Windows Server 2003, it also changes when application directory partitions are added to or removed from the domain controller.

Using repadmin /showrepl to display detailed and precise information

The following showrepl output is returned by combining <Naming Context> and /verbose.

For two domain controllers to engage in replication, they have to first resolve each other’s GUID CNAME to a host name and the host name to an IP address, such as the following:

2a92f776-6c0f-4cb4-a111-f5dcd447af6c._msdcs.contoso.com is the GUID CNAME registration in DNS.

High-watermark value

The high-watermark value is not required for any administrative task. However, it can help you deduce the state of progress on that replication link. You can see the high-watermark in the output of the repadmin /showrepl /verbose command in Figure 3.2.2. Look for lines that begin with USNs:. The high-watermark USN is the number that is followed by /OU.

The object update (OU) USN saves the position when in the middle of a replication cycle. It stays the same as the property update (PU) when replication is not occurring, and increases during a replication cycle. At the end of the cycle, the final USN replicated becomes the PU value and the OU is left to match. Thus, the OU indicates progress within a cycle, and the PU indicates the last update seen at the conclusion of a successful cycle. A PU of zero means that the link has never completed a successful cycle, as is the case when performing its first synchronization on a new domain controller connection. If the OU and PU are not equal, it means a replication cycle is in progress.
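The OU/PU rules in the paragraph above, applied to the USNs: lines of repadmin /showrepl /verbose output, as an added example that is not part of the original guide. The excerpt of verbose output is constructed, and the exact line layout (a "Site\Server via RPC" line followed by "USNs: n/OU, m/PU") is an assumption.

```python
"""Classify each inbound link from the USN high-watermark line in /verbose output."""
import re

# Constructed excerpt of 'repadmin /showrepl /verbose' output for one naming
# context; the line layout is assumed.
SAMPLE_VERBOSE = """\
DC=contoso,DC=com
    HQ\\DC2 via RPC
        USNs: 48210/OU, 48210/PU
        Last attempt @ 2024-03-01 10:55:00 was successful.
    HQ\\DC3 via RPC
        USNs: 51000/OU, 50730/PU
        Last attempt @ 2024-03-01 11:00:00 was successful.
    Branch\\DC4 via RPC
        USNs: 120/OU, 0/PU
        Last attempt @ [Never] was successful.
"""

LINK_RE = re.compile(r"^\s+(\S+) via (\S+)\s*$")       # e.g. "    HQ\DC2 via RPC"
USN_RE = re.compile(r"USNs:\s*(\d+)/OU,\s*(\d+)/PU")    # e.g. "USNs: 51000/OU, 50730/PU"


def classify_usns(ou, pu):
    """PU of zero: never completed; OU != PU: cycle in progress; otherwise idle."""
    if pu == 0:
        return "never completed a cycle"
    if ou != pu:
        return "cycle in progress, %d USNs past the last completed cycle" % (ou - pu)
    return "idle, last completed cycle ended at USN %d" % pu


def link_states(verbose_text):
    """Map each 'Site\\Server' source link to the state implied by its USNs line."""
    states = {}
    link = None
    for line in verbose_text.splitlines():
        m = LINK_RE.match(line)
        if m:
            link = m.group(1)     # remember which source the following lines belong to
            continue
        m = USN_RE.search(line)
        if m and link is not None:
            states[link] = classify_usns(int(m.group(1)), int(m.group(2)))
    return states


if __name__ == "__main__":
    for link, state in link_states(SAMPLE_VERBOSE).items():
        print(link, "-", state)
```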

The following table lists nbrflagoptions, which are flags that define the expected replication actions with the partner.

Nbrflagoptions        Meaning
WRITEABLE             The local copy of the naming context is writable.
SYNC_ON_STARTUP       Replication of this naming context from this source is attempted when the destination server is booted. This normally only applies to intrasite neighbors.
DO_SCHEDULED_SYNCS    Perform replication on a schedule. This flag is normally set unless the schedule for this naming context/source is "never," that is, the empty schedule.

Showing outbound neighbors

By default, repadmin /showrepl does not display outbound neighbors, as with previous versions. The /repsto parameter provides this feature, as shown in Figure 3.2.5.

Some of the repadmin /showrepl Error Messages and their root cause

The following table lists some repadmin /showrepl errors and their root cause. The next sections after the table explain some errors in more detail.

If no items appear in the “Inbound Neighbors” section of the output generated by the repadmin /showrepl command, the domain controller could not establish replication links with another domain controller.

A replication link exists between two domain controllers, but replication cannot be properly performed.

Last attempt at <date-time> failed with "Target account name is incorrect."

This problem can be related to connectivity, DNS, or authentication issues.

If it is a DNS error, the local domain controller could not resolve the GUID-based DNS name of its replication partner.

No more end point

This can be caused because no more end-points are available to establish the TCP session with the replication partner.

This error can also result when the replication partner can be contacted, but its RPC interface is not registered. This usually indicates that the domain controller’s DNS name is registered but with the wrong IP address.

LDAP Error 49

The domain controller computer account might not be synchronized with the Key Distribution Center (KDC).

The KCC successfully created the replication link between the local domain controller and its replication partner, but because of the schedule or possible bridgehead overload, replication has not occurred.

A large backlog of inbound replication must be performed on this domain controller.

No inbound neighbors

A "no inbound neighbor" error appears in the repadmin /showrepl command output when one or more of the following conditions exist:

No connection object exists to indicate which domain controller(s) this domain controller should replicate from. These connection objects are typically created by the KCC. However, in some environments, administrators have turned off the part of KCC (Intersite) that creates connection objects for inbound replication from domain controllers in other sites, relying on manual connections instead.

One or more connection objects exist, but the domain controller cannot contact the source domain controller to create the replication links. In this case, the KCC logs events each time it runs (by default, every 15 minutes) detailing the error that occurred when it attempted to add the replication links.

Existing replication links have been inadvertently deleted between KCC executions.

Repadmin in this scenario can be used only for diagnosis. The following table explains subcommand usage that can help you diagnose the problems leading to this situation.

Subcommand            Description
Repadmin /showrepl    Verify replication status.
Repadmin /showconn    Verify whether a valid connection object exists between the source and destination.
Repadmin /failcache   Resolve the underlying connection translation problems. For more information about using Repadmin /failcache, see Repadmin /failcache.
Repadmin /KCC         Ensure that a connection object (Automatic or Manual) has been created properly between the domain controller and its replication partner, and then force the KCC to run so that the connection object is translated to an appropriate replication link.

Active Directory replication has been preempted

When Active Directory replication has been preempted, an inbound replication in progress was interrupted by a higher priority replication request. An example of a higher priority replication request is a request generated manually by using the repadmin /sync command.

Repadmin in this scenario can be used only for diagnosis. The following table explains subcommand usage that can help you diagnose the problems leading to this situation.

Subcommand            Description
Repadmin /showrepl    Verify replication status.
Repadmin /queue       Check how many inbound synchronizations are in the queue.

Last attempt @ never was successful

The "Last attempt @ never was successful" error typically indicates that the KCC successfully created the replication link between the local domain controller and its replication partner, but because of the schedule or possible bridgehead overload, replication has not occurred.

Repadmin in this scenario can be used for both diagnosis and resolution. The following table explains subcommand usage that can help you diagnose or solve the problems.

Subcommand            Description
Repadmin /showrepl    Verify replication status.
Repadmin /queue       Check how many inbound synchronizations are in the queue.
Repadmin /sync        Synchronize replication from a source domain controller.

Access denied

This error indicates that the local domain controller failed to authenticate against its replication partner when creating the replication link or when trying to replicate over an existing link. This typically happens when the domain controller has been disconnected from the rest of the network for a long time and its computer account password is not synchronized with the computer account password that is stored in the Active Directory of its replication partner.